Blowing the whistle without blowing your career

Cindy Waxer | Oct. 8, 2014

How techies can bring data mishandling and abuses to light without putting their careers in jeopardy.

Credit: Brian Stauffer

Technology professionals are among today's most infamous whistleblowers. The list of those who have made headlines for exposing corporate or government skulduggery includes Shawn Carpenter, a network security analyst who blew the lid off a Chinese cyberespionage ring; Bradley (now Chelsea) Manning, who shared more than 250,000 classified State Department cables with WikiLeaks; and Edward Snowden, who leaked top-secret information about NSA surveillance activities.

But for every high-profile case, there are plenty of tales of IT professionals who have accused their employers of wrongdoing without making national headlines or feeling the need to seek asylum in foreign countries.

Take Nell Walton, for example. A former database administrator at Nova Information Systems (now Elavon), Walton filed a whistleblower complaint with the Occupational Safety and Health Administration in 2005 against the credit card processor for security violations on databases that contained billions of transaction records.

According to Walton, she repeatedly asked the company to bolster its database security -- a request that she claims prompted retaliation from Nova's "chain of command." Walton's complaint was dismissed by OSHA. She appealed the decision with the U.S. Department of Labor but eventually lost her case against Nova in a federal court. (Elavon didn't respond to an interview request.)

The case, which lasted nearly three years, cost Walton her job, physical health and nearly $50,000 in legal fees. "It totally pretty much wrecked my life for three years," she says. "Even after the case was over and we lost, it was just awful."

Such is the difficult and often stressful path for IT professionals who dare to expose what they perceive to be misconduct or negligence on the part of their employers. "It's like that saying from my childhood: Nobody likes a squealer," says James Lewis, director and senior fellow of the Strategic Technologies Program at the Center for Strategic and International Studies, a Washington-based think tank. "You can be noble and a whistleblower, but don't expect it to be an easy life."

Yet the potential for techies to become high-profile whistleblowers is growing, whether they like it or not. For starters, today's data deluge -- bits and bytes of information being generated by everything from assembly-line sensors to point-of-sale devices -- is fueling a demand for unprecedented data transparency. Suddenly, the public is requesting greater openness from IT departments regarding what data is being collected, how it's being used, how it's being secured and who's accessing it.

At the same time, the stakes have never been higher for organizations to keep their systems secure. According to Ponemon Institute's "2014 Cost of Data Breach Study: Global Analysis," a report sponsored by IBM, the average cost of a data breach to a company was $3.5 million, up 15% from the average reported by companies participating in last year's study. The 314 companies from 10 countries that took part in this year's study estimate they will be dealing with an average of 17 malicious codes and 12 sustained probes each month. IT teams must keep confidential data safe from these mounting threats or face the wrath of angry shareholders, fine-wielding regulatory bodies and disgruntled customers.